360 million recently compromised passwords for sale online

Login credentials from multiple services available in underground crime forums.

Underscoring the insecurity of many online dating, job, and e-mail services, security researchers said that they have tracked almost 360 million compromised login credentials for sale in underground crime forums over the past three weeks.

The haul, which included an additional 1.25 billion records containing only e-mail addresses, came from multiple breaches, according to a statement posted Tuesday by Hold Security. The biggest single list contained 105 million details, making it among the bigger online finds, the firm told Reuters. The cache included e-mail addresses that most likely served as user names and corresponding passwords. It remains unclear what service the account credentials unlock.

At 360 million, Hold Security's latest find is big enough that it likely also came from hacks on poorly secured Web service servers that store large caches of user credentials. The risk of these types of attacks is biggest for users who choose the same password for multiple services. Once an attacker has someone's e-mail address and password for one site, the credentials can be used to compromise every other site account that uses the same user name and password. Ars has long advised readers to use a long, randomly generated password that's unique for each online account. You can find a much more detailed how-to here.

Promoted Comments

I use a different password for every single account (about 100 of them) and save/sync them with Chrome (encrypted not with my Google credentials but with my own long passphrase). Important accounts (machine logins, banking, basically everything but boring website logins) are only in my head (with a paper backup), there's easily room for about a dozen passwords there...

I would say: Do not reuse passwords. Use long passwords (no need for much randomness, a unique sentence with no spaces is enough and easy to remember) for important accounts. Everything above that isn't going to give you much more security, anything below that is not enough.

"rememberthattheresathingliketoorandomtobeuseful" is a good password. You can use rainbow tables as much as you want but this basically is just too much of entropy to deal with while being still meaningful enough to remember it. Yes, it's made out of words, but the words are words like toora and mtob and this isn't going to help a lot...

Well, ironically since you said it's a good password, now it isn't.

Most credentials that are leaked are username and hashed-password pairs. What people do is take large lists of known passwords, compute the hashes for all of the known passwords, then compare the hashes with the hashes from the website breach. This is incredibly fast and relatively simple to do. From a pure bruteforce perspective, your password is a good choice, but there are dictionary attacks sophisticated enough and known password lists large enough to make cracking the password trivial.

Remember, the name of the game isn't just to make passwords that are long and difficult to bruteforce. For passwords to really be effective, they must be long, not contain any permutation of words and characters susceptible to dictionary or substitution algorithms (n0n3_0f_|h1S_cR@p), and they must have never shown up in a password list on the internet.
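The hash-comparison the comment above describes is the same check a site operator runs after a breach to decide which accounts need a forced reset, and the unsalted hashes also expose the cross-service reuse the article warns about. The following is an added example, not code from the article or its commenters; the users, passwords and dumps are constructed, and unsalted SHA-1 is assumed as the leaked hash format.

```python
import hashlib
from typing import Dict, Iterable, Set


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 hex digest, the kind of hash assumed to be in the leaked dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(known_passwords: Iterable[str]) -> Dict[str, str]:
    """Hash every known password once (the precomputation step the comment
    describes); each leaked hash is then a single dictionary lookup."""
    return {sha1_hex(p): p for p in known_passwords}


def screen_dump(dump: Dict[str, str], known_passwords: Iterable[str]) -> Dict[str, str]:
    """Return username -> matched known password for every account whose leaked
    hash appears in the known-password list. A defender forces resets on exactly
    these accounts instead of on the whole user base."""
    lookup = build_lookup(known_passwords)
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def find_reused(dump_a: Dict[str, str], dump_b: Dict[str, str]) -> Set[str]:
    """Usernames present in both dumps with an identical unsalted hash, i.e. the
    same password reused across two services (the risk the article describes).
    Per-user salting would make this comparison impossible."""
    return {u for u, h in dump_a.items() if dump_b.get(u) == h}


# Constructed sample data: hypothetical users and passwords, not from any real breach.
KNOWN_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
SITE_A = {
    "alice@example.com": sha1_hex("password"),
    "bob@example.com": sha1_hex("uniquesentenceforbobonsitea"),
    "carol@example.com": sha1_hex("letmein"),
}
SITE_B = {
    "alice@example.com": sha1_hex("password"),
    "bob@example.com": sha1_hex("anotheruniquesentenceforsiteb"),
}

if __name__ == "__main__":
    print("force reset:", sorted(screen_dump(SITE_A, KNOWN_PASSWORDS)))
    print("reused across sites:", sorted(find_reused(SITE_A, SITE_B)))
```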